[VMC on AWS] Unable to add VPN or unable to create rule mapping to VPN Tunnel Interface with any other interfaces

Article ID: 329417


Products

VMware Cloud on AWS

Issue/Introduction

This article explains how to resolve the problem of being unable to add a VPN or to create compute gateway firewall rules when the errors below are returned.

Symptoms:
  • When user attempts to create any VPN settings (L2VPN, Route Based VPN, Policy Based VPN), the following error is received:
Error during creating objects of type:PolicyLableScope [/infra/labels/cgw-public, /infra/labels/cgw-cross-vpc, /infra/labels/cgw-vpn] can not mix VPN with other paths.
  • When user attempts to create any compute gateway rules, the following error is received:
Scope [/infra/labels/cgw-cross-vpc, /infra/labels/cgw-all, /infra/labels/cgw-direct-connect, /infra/labels/cgw-vpn] can not mix VPN with other paths.
  • This issue happens on SDDC version 1.9.


Cause

On SDDC version 1.9, the VPN Tunnel Interface cannot be combined with other interfaces in the "Applied To" scope of a firewall rule. If firewall rules that mixed the VPN Tunnel Interface with other interfaces were created on an earlier SDDC version and the SDDC was then upgraded to version 1.9, those existing rules prevent any new VPN configuration from being added.

Resolution

This problem will be fixed in a future SDDC version.

Workaround:
  • Identify all firewall rules in the compute gateway whose "Applied To" scope includes the "VPN Tunnel Interface" together with any other interfaces.
  • Update each rule identified in the step above so that it references either only the "VPN Tunnel Interface" or only the other interfaces; do not mix the VPN Tunnel Interface with other interfaces in one rule.
  • If you need the same rule for both the VPN Tunnel Interface and other interfaces, create two rules: one applied to the VPN Tunnel Interface and another applied to the other interfaces.
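The following is an added example, not part of this article or of VMware's tooling, that carries out the cause check and the workaround above on an exported rule list: it flags every compute gateway rule whose scope mixes `/infra/labels/cgw-vpn` with any other label path (the condition the error message reports), and splits each such rule into a VPN-only rule and an "other interfaces" rule. The rule dictionaries are constructed for illustration; the `id`, `action` and `scope` keys are an assumed simplified shape, and the `-vpn` / `-other` id suffixes are an arbitrary naming choice.

```python
# Added example (not from the KB article): detect and split compute gateway
# firewall rules whose "Applied To" scope mixes the VPN Tunnel Interface label
# with other interface labels, which SDDC 1.9 rejects.
from copy import deepcopy

# Label path of the VPN Tunnel Interface, as shown in the article's error text.
VPN_LABEL = "/infra/labels/cgw-vpn"

# Constructed sample rules in an assumed simplified shape (id, action, scope).
# The scope paths are the ones quoted in the article's error messages.
SAMPLE_RULES = [
    {
        "id": "allow-mgmt",
        "action": "ALLOW",
        "scope": [
            "/infra/labels/cgw-cross-vpc",
            "/infra/labels/cgw-all",
            "/infra/labels/cgw-direct-connect",
            "/infra/labels/cgw-vpn",
        ],
    },
    {"id": "allow-vpn-only", "action": "ALLOW", "scope": ["/infra/labels/cgw-vpn"]},
    {"id": "allow-public", "action": "ALLOW", "scope": ["/infra/labels/cgw-public"]},
]


def mixes_vpn_scope(rule):
    """True when the rule applies to the VPN Tunnel Interface AND to at least one other interface."""
    scope = rule.get("scope", [])
    return VPN_LABEL in scope and any(path != VPN_LABEL for path in scope)


def find_mixed_rules(rules):
    """Step 1 of the workaround: ids of every rule that mixes VPN with other interfaces."""
    return [rule["id"] for rule in rules if mixes_vpn_scope(rule)]


def split_rule(rule):
    """Steps 2-3 of the workaround: leave clean rules alone; split a mixed rule in two."""
    if not mixes_vpn_scope(rule):
        return [rule]
    vpn_rule = deepcopy(rule)
    vpn_rule["id"] = rule["id"] + "-vpn"        # hypothetical naming convention
    vpn_rule["scope"] = [VPN_LABEL]
    other_rule = deepcopy(rule)
    other_rule["id"] = rule["id"] + "-other"    # hypothetical naming convention
    other_rule["scope"] = [path for path in rule["scope"] if path != VPN_LABEL]
    return [vpn_rule, other_rule]


def apply_workaround(rules):
    """Return the rule list with every mixed rule replaced by its VPN-only and other-only halves, order preserved."""
    fixed = []
    for rule in rules:
        fixed.extend(split_rule(rule))
    return fixed


if __name__ == "__main__":
    print("Rules to fix:", find_mixed_rules(SAMPLE_RULES))
    for rule in apply_workaround(SAMPLE_RULES):
        print(rule["id"], rule["scope"])
```

Run it against the real exported rule list only after checking the rules' field names; the script keeps every non-mixed rule untouched and only rewrites the `scope` of rules that would trigger the "can not mix VPN with other paths" error.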